
© 2015 LOEB & LOEB LLP

Data Security and Breach in Outsourcing Agreements

Akiba Stern, Partner, Loeb & Loeb LLP
Kenneth Adler, Partner, Loeb & Loeb LLP
Frank Clark, Practice Counsel, Infosys

Greater New York Chapter, Association of Corporate Counsel
Digital, Technology, eCommerce & Privacy Practice Group
November 19, 2015


Introduction - Outsourcing Model

• Outsourcing is the transfer of internal business processes and capabilities to an external supplier
• The basic commercial proposition is that the supplier will do
  • What the customer currently does
  • At the same or a better level of performance
  • For the same or a lower price


Introduction: The Outsourcing Agreement Generally


Introduction - Anatomy of the Agreement

• The key contract documents typically consist of
  • Terms and conditions: the “legals”
  • Services schedule: a description of the scope of services
  • Service level schedule: a selective set of performance standards
  • Pricing schedule: the mechanisms to calculate the supplier’s charges
  • Human resources schedule: details regarding personnel transfers, utilization of and rules regarding supplier personnel
  • Transition schedule: details regarding the transfer of assets to the supplier, and preparation for “go-live”


Introduction - Scope of Services

• Describe “Services” in broad terms

• Services “evolve”

• Scope ties to pricing

• Change control


Introduction - Performance Standards

• General performance measures
• Service Levels
  • Documented vs. actual service levels
  • Measurable and achievable
  • Flexibility and weighting
  • Continuous improvement
  • Service level credits and priorities
  • Allow for periodic evaluation and adjustment
• Reporting
  • Root cause analysis
  • Correction
• Service Level credits
  • Clearly understandable calculation formula
  • Based on priorities
  • Not designed to punish; it is an incentive for better performance


Introduction - Price and Payment

• At its core, an outsourcing is the transfer of the customer’s costs and all of its associated activities and resources to the supplier
• The transferred costs will be among the factors utilized by the supplier in setting a price such that the customer’s anticipated level of spend will remain the same, less those savings offered by the supplier
• The supplier will achieve savings by leveraging its economies of scale and increasing operational efficiency


Introduction - Exit Strategy

• The goal is to maintain flexibility to transition or restructure all or part of the services during the term at reasonable transition costs
• Partial or full termination for material breach
• Termination for convenience
  • It may be the only effective way out of a deal
  • The supplier will want, at minimum, a fee that accounts for its investment in the deal
  • The agreement might contain a methodology for determining the fee


The Outsourcing Agreement: Data Security, Breach and Liability


Data Security Obligations

• Confidentiality Obligations
• Limits on Use of Customer Data
• Compliance with Customer security policies
• Segregation of customer data
• Encryption
• Security Breach
  • Service Provider obligations
    • Investigate and remediate
    • Cooperate
    • Prevent recurrence


Compliance With Law Obligations

• “Service Provider shall perform the Services in accordance with the Service Provider Laws and the Customer Compliance Directives such that Customer will not violate any of the Service Provider Laws or Customer Laws, respectively, as a result of the acts or omissions of Service Provider.”

• “Service Provider will promptly implement such Changes to the Services as may be necessary to correct any non-compliance with Service Provider Laws or Customer Compliance Directives.”

• “If such non-compliance is caused by Service Provider’s failure to comply with Service Provider Laws or Customer Compliance Directives, such Changes shall be a Non-chargeable Change. Otherwise, the Charges for such Changes, if any, shall be determined in accordance with the Change Procedures.”

• “Service Provider shall be responsible for fines and/or penalties imposed on Service Provider or Customer resulting from Service Provider’s failure to comply with Service Provider Laws or Customer Compliance Directives.”


Compliance With Law Obligations

• “Data Protection. Without diminishing Service Provider’s obligations in this Section 12:”
  • “Each Party shall at all times comply with its obligations under all Laws in relation to data protection, safeguarding, privacy or the interception, recording or monitoring of communications (“Data Protection Laws”) in connection with the Services.”


Reimbursement of Notification Related Costs

• Reimbursement of Notification Related Costs (i.e., Customer’s internal and external costs associated with addressing and responding to the Security Breach), including:

• preparation and mailing or other transmission of legally required notifications;

• preparation and mailing or other transmission of such other communications to customers, agents or others as Customer deems reasonably appropriate;

• establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points and training);

• public relations and other similar crisis management services;

• legal and accounting fees and expenses associated with Customer’s investigation of and response to such event;

• costs for commercially reasonable credit reporting services that are associated with legally required notifications or are advisable under the circumstances; and

• court costs, reasonable fees and expenses of attorneys, accountants and other experts and all other reasonable fees and expenses of litigation or other proceedings.


Service Provider Indemnification

• Fines and penalties in respect of Service Provider’s failure to obtain, maintain or comply with the approvals, licenses, consents, permits or authorizations required to be obtained, maintained or complied with by Service Provider pursuant to the Agreement

• A breach by Service Provider of Service Provider’s obligation to comply with Laws under the Agreement

• Any breach by Service Provider of Service Provider’s confidentiality, customer data use and security breach obligations under the Agreement

• Acts or omissions of Service Provider, its Subcontractors or any Service Provider Personnel other than in accordance with the terms hereof, which cause loss or disclosure of Customer Data, including all Notification Related Costs arising out of or in connection therewith


Liability Structure

• General Intent:
  • A party is liable to the other for any actual damages suffered or incurred by the other party as a result of its failure to perform its obligations in the manner required by the Agreement
  • Each party shall have a duty to mitigate damages for which the other party is responsible
• Common Supplier-requested Limits on Liabilities:
  • Limits on Liability Type: Not liable for consequential damages
  • Limits on Liability Amount: Not to exceed 12 months’ worth of charges
• The limits on liabilities do not apply to damages attributable to or occasioned by:
  • A party’s willful misconduct or gross negligence
  • A party’s breach of its confidentiality obligations
  • Government fines and penalties levied against Customer in respect of Service Provider’s breach of its compliance with Laws obligations under the Agreement
  • A party’s violation of law
  • Service Provider’s breach of its obligations with respect to Customer Data
  • Notification Related Costs for which Service Provider is obligated to reimburse Customer under the Agreement
  • Losses that are the subject of indemnification


Contact Information

Akiba Stern, Partner
Loeb & Loeb LLP
212.407.4235
[email protected]

Kenneth Adler, Partner
Loeb & Loeb LLP
212.407.4284
[email protected]

Frank Clark, Practice Counsel
Infosys
646.254.3112
[email protected]